You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
103 lines
5.1 KiB
103 lines
5.1 KiB
7 months ago
|
# Version 9.2.2.20240415
|
||
|
|
||
|
[DeploymentServerClients]
|
||
|
search = | tstats count where index=_dsclient `filter_by_client_id("$clientId$")` by \
|
||
|
data.build data.clientId data.connectionId data.dns data.guid data.hostname data.instanceId \
|
||
|
data.instanceName data.ip data.mgmt data.name data.package data.packageType data.splunkVersion data.utsname datetime \
|
||
|
| rename data.* as * \
|
||
|
| dedup clientId sortby -datetime\
|
||
|
| join clientId type=inner max=1 [ \
|
||
|
| search index=_dsphonehome earliest=$reloadTime$ `filter_by_client_id("$clientId$")` \
|
||
|
| rename data.* as * \
|
||
|
| search `filter_by_phonehome($minPhoneHomeTime$)` \
|
||
|
| dedup 4 clientId \
|
||
|
| stats list(lastPhoneHomeTime) as lastPhoneHomeTime latest(_time) as _time by clientId \
|
||
|
| mvexpand lastPhoneHomeTime limit=4 \
|
||
|
| delta lastPhoneHomeTime as phoneHomeInterval \
|
||
|
| eval phoneHomeInterval = if (phoneHomeInterval < 0, 0 - phoneHomeInterval, null) \
|
||
|
| stats latest(lastPhoneHomeTime) as lastPhoneHomeTime latest(updaterRunning) as updaterRunning avg(phoneHomeInterval) as averagePhoneHomeInterval by clientId \
|
||
|
| eval actual_ratio=(now() - lastPhoneHomeTime) / averagePhoneHomeInterval \
|
||
|
| search `filter_by_ratio("$greater_than$", $ratio$)` \
|
||
|
| dedup clientId \
|
||
|
] \
|
||
|
| join clientId type=left max=0 [ \
|
||
|
| search index=_dsappevent earliest=$reloadTime$ `filter_by_client_id("$clientId$")` \
|
||
|
| rename data.* as * \
|
||
|
| dedup key \
|
||
|
| search `filter_by_app("$appName$")` `filter_by_serverclasses("$serverClassNames$")` \
|
||
|
`filter_by_action("$action$")` `filter_by_checksum($checksum$)` `filter_by_error("$has_error$")` \
|
||
|
| stats list(appName) as appName list(serverClassName) as serverClassName \
|
||
|
list(action) as action list(result) as result list(failedReason) as failedReason \
|
||
|
list(checksum) as checksum list(timestamp) as timestamp count(appName) as countApps by clientId \
|
||
|
| eval appName=mvjoin(appName, "#") \
|
||
|
| eval serverClassName=mvjoin(serverClassName, "#") \
|
||
|
| eval action=mvjoin(action, "#") \
|
||
|
| eval result=mvjoin(result, "#") \
|
||
|
| eval failedReason=mvjoin(failedReason, "#") \
|
||
|
| eval checksum=mvjoin(checksum, "#") \
|
||
|
| eval timestamp=mvjoin(timestamp, "#") \
|
||
|
] \
|
||
|
| eval appName=split(appName, "#") \
|
||
|
| eval serverClassName=split(serverClassName, "#") \
|
||
|
| eval action=split(action, "#") \
|
||
|
| eval result=split(result, "#") \
|
||
|
| eval failedReason=split(failedReason, "#") \
|
||
|
| eval checksum=split(checksum, "#") \
|
||
|
| eval timestamp=split(timestamp, "#") \
|
||
|
| search `filter_by_app_count("$has_app_filter$")`
|
||
|
|
||
|
[DeploymentServerClientsBasic]
|
||
|
search = | tstats count where index=_dsclient by \
|
||
|
data.build data.clientId data.connectionId data.dns data.guid data.hostname data.instanceId \
|
||
|
data.instanceName data.ip data.mgmt data.name data.package data.splunkVersion data.utsname datetime\
|
||
|
| rename data.* as * \
|
||
|
| dedup clientId sortby -datetime\
|
||
|
| join clientId type=inner max=1 [search index=_dsphonehome earliest=$reloadTime$ \
|
||
|
| rename data.* as * \
|
||
|
| dedup clientId \
|
||
|
| table clientId lastPhoneHomeTime \
|
||
|
] \
|
||
|
| eventstats count as total \
|
||
|
| head $offset_end$ \
|
||
|
| streamstats count as paginator \
|
||
|
| where paginator>$offset_start$ \
|
||
|
|
||
|
[DeploymentServerClientsByMachineType]
|
||
|
search = | search index=_dsclient earliest=0 | stats latest(data.utsname) as utsname by data.clientId | stats count as clients by utsname
|
||
|
|
||
|
[DeploymentServerAppEvents]
|
||
|
search = | search index=_dsappevent earliest=$reloadTime$ data.clientId IN ($clientIdList$) $result$\
|
||
|
| rename data.* as * \
|
||
|
| dedup key \
|
||
|
| stats list(appName) as appName list(serverClassName) as serverClassName \
|
||
|
list(action) as action list(result) as result list(failedReason) as failedReason \
|
||
|
list(checksum) as checksum list(timestamp) as timestamp count(appName) as countApps by clientId
|
||
|
|
||
|
[DeploymentServerRecentDownloads]
|
||
|
search = | search index=_dsappevent data.action!=Install earliest=$earliest$ \
|
||
|
| stats latest(data.result) as result latest(data.action) as action by data.clientId data.serverClassName data.appName \
|
||
|
| search result=Ok action=Download \
|
||
|
| stats count as downloads
|
||
|
|
||
|
[DeploymentServerEventsWithError]
|
||
|
search = | search index=_dsappevent earliest=$reloadTime$ data.result != Ok \
|
||
|
| rename data.* as * \
|
||
|
| stats latest(failedReason) as failedReason latest(action) as action latest(timestamp) as timestamp by serverClassName, appName, clientId
|
||
|
|
||
|
[DeploymentServerHasDeploymentErrorsPerAppAndServerclass]
|
||
|
search = | search index= _dsappevent earliest=$reloadTime$ $result$ \
|
||
|
$appName$ $serverClassNames$ data.action=Download OR data.action=Install \
|
||
|
| dedup data.clientId | stats count as clients
|
||
|
|
||
|
[DeploymentServerGetPhonehomedClients]
|
||
|
search = | tstats dc(data.clientId) as clients where index=_dsphonehome earliest=$earliest$
|
||
|
|
||
|
[DeploymentServerLookupClient]
|
||
|
search = | search index=_dsclient data.clientId = $clientId$ \
|
||
|
| rename data.* as * \
|
||
|
| head 1
|
||
|
|
||
|
[DeploymentServerGetClientsUri]
|
||
|
search = | search index=_dsclient | strcat "https://" data.ip ":" data.mgmt uri \
|
||
|
| stats latest(_time) as latesttime latest(uri) as clientUri by data.clientId
|